The open-source Apache Software Foundation recently suffered a cross-site scripting (XSS) attack against its infrastructure that resulted in users' passwords being compromised.
The targeted attack allowed hackers to break into the server hosting Apache.org's issue and request tracking software, Atlassian JIRA, and steal encrypted passwords, the Apache Infrastructure team revealed in a blog post Tuesday. Hackers carried out the attack on April 5 by sending an error report to Apache and including a TinyURL link containing an XSS exploit. Several Apache administrators clicked on the link, compromising their sessions.
Encrypted passwords were ultimately stolen for users of the Apache-hosted JIRA issue tracking and project tracking software, Bugzilla bug tracking software, and Confluence enterprise collaboration and wiki software, Apache said.
“We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords,” the group said.
Along with the XSS attack, hackers simultaneously launched a brute-force attack, attempting hundreds of thousands of password combinations, against the JIRA login.jsp. On April 6, the brute-force method was successful and hackers gained administrator privileges on a JIRA account and were able to browse and copy the file system.
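The brute-force attempt described above, hundreds of thousands of password guesses against a single login endpoint, is the kind of activity that stands out in web-server access logs long before a guess succeeds. The following is an added example, not code from the article or from Apache, that flags a client IP once it sends more than a threshold of POST requests to the JIRA login page within a sliding time window. The log lines are constructed for illustration (the IP addresses are documentation ranges, and the `/jira/login.jsp` path, the 60-second window and the threshold of 5 requests are assumptions chosen for the example, not values from the incident report).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format; these are NOT real
# Apache.org logs. 203.0.113.7 hammers the login page, the other clients do not.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2010:10:00:01 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2010:10:00:02 +0000] "GET /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2010:10:00:03 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2010:10:00:04 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2010:10:00:05 +0000] "POST /jira/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2010:10:00:06 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Apr/2010:10:00:07 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped by the parser
203.0.113.7 - - [05/Apr/2010:10:00:08 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2010:10:00:09 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2010:10:00:12 +0000] "GET /jira/browse/EXAMPLE-1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Apr/2010:10:02:10 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Apr/2010:10:04:11 +0000] "POST /jira/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, timestamp, method, path, status, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, path="/jira/login.jsp",
                      window=timedelta(seconds=60), threshold=5):
    """Flag client IPs that POST to `path` at least `threshold` times within `window`.

    Assumes lines arrive in chronological order (as they do in a live access log).
    Returns {ip: timestamp_of_first_detection}; an IP is reported once.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that have aged out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} possible credential brute force from {ip}")
```

In the constructed sample only 203.0.113.7 crosses the threshold; 192.0.2.9 also sends repeated login POSTs, but they are minutes apart and age out of the window, which is why a sliding window rather than a lifetime counter is the right shape for this detector. In production the same logic would feed a rate limiter or an alert, and the threshold would be tuned against the normal login rate of the site.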
“The attackers used this access to create copies of many users' home directories and various files,” Apache said.
Three days after the successful brute-force attack, hackers installed a file that collected and saved all passwords when users logged on. In addition, they sent password reset messages to Apache's infrastructure team, which successfully duped members into revealing their passwords. One of these stolen passwords allowed attackers to gain full root access to a machine that hosted Apache installs of JIRA, Bugzilla and Confluence.
Shortly after the password reset, Apache's infrastructure team caught wind of the attack and began shutting down services and moving them to a different machine. By Tuesday, Atlassian provided a patch for JIRA to prevent the XSS attack.
JIRA and Bugzilla have been back online since Saturday, but the Confluence wiki remains offline.
The Apache Software Foundation is a group that provides support for Apache's open-source software projects, including its popular web server.